Omise & GitHub

In 2021, over 2.14 billion people worldwide are expected to buy something online.* Whether they’re paying for a pair of hiking boots or a weekend trip to the mountains, they’re sharing something valuable: credit card numbers, account information, and more. With billions of transactions between people and servers happening every day, customers need to know their information is headed somewhere safe—and retailers need the buying process to stay as simple as possible. This is where Omise comes in.

Omise provides its clients—including McDonald’s Thailand, Japanese drug store chain Tsuruha, and insurance company, Allianz Ayudhya—with the tools they need to connect with millions of potential customers and accept secure payments across multiple devices. At the heart of the operation are those secure online payments. In a world where even the most successful companies are hacked, you can never be too careful.

Since Omise handles the data of branded credit cards, including Visa, Mastercard, and JCB, they must obtain and maintain compliance with the PCI Standard. This Standard, which requires an annual audit conducted by a Qualified Security Assessor (QSA), was created to increase controls around cardholder data and reduce potential fraud across multiple devices, including phones, tablets, and computers. In other words: make sure credit card numbers don’t end up in the wrong hands.

Back in 2014, when Omise was a five-person team, they learned they couldn’t use shared servers to host their code if they were going to stay PCI-compliant—so they started to search for a viable solution.

While doing their due diligence, GitHub Enterprise Server stood out—not only as the answer to these needs, but as a partner to help Omise scale globally without compromising security. Chief Technology Officer Robin Clart explained, “We looked into other tools a little bit, but they couldn’t compare. The lack of features was too great. And the lack of integration was a huge hurdle.”

The fact that Omise could host code on their own servers—and on one platform—was a fundamental requirement, and since the team already had experience with GitHub, they didn’t need to worry about losing time to training. With a notable amount of code already hosted on GitHub, including pull requests and issues, migration to their own servers was integral to the switch. “The GitHub team was very responsive and quick to provide a tool for migrating our projects,” said Clart.

Initial migration from GitHub Team to Enterprise Server was a seamless process that took just two short weeks. Chief Information Officer Frederico Araujo said they relied on a GitHub Solutions Engineer and “it was all quite easy. We didn’t have to do much.” The team was immediately impressed by the low latency of Enterprise Server. The Asia-based servers push directly to operational hubs in Singapore, Japan, Thailand, and Indonesia, and Clart said the average ping is 30 milliseconds.

Pushing to repositories is a lot faster. We get pretty much an immediate response from servers.

Omise has grown from five to 80 employees and matured as an organization, adopting an arsenal of best practices powered by GitHub. They’ve also been able to integrate additional tools with all of their code in one place: Jenkins for CI/CD, Google Cloud Platform and Kubernetes, Phabricator, and Slack. Their Jenkins pipeline, in particular, automates error reporting to identify which deployed releases might have issues. And with three PCI audits in the books since switching to GitHub Enterprise, it’s safe to say their new way of working was a success.

The full PCI audit process can take anywhere from two to four weeks, but Omise is getting faster and better as technology improves. GitHub Enterprise can operate on a company’s existing infrastructure with established information security controls, allowing the team to determine the specific merge conditions necessary to stay compliant and make audits smoother. Omise can also choose the number of reviewers and specify code owners. “It’s making our process a lot better,” said Clart. The fact that they can self-audit is also helpful. Araujo explained, “We have a repo on GitHub that takes care of the auditing. All of the audits, they’re all in Git.”

To help enforce critical business rules, meet compliance requirements, and prevent undesired changes, Omise uses pre-receive hooks, a powerful tool supported by Enterprise Server. When credit card information is at stake, this is particularly important: a hook can reject a push before the offending commit is ever stored, since card data that lands in a repository can be exfiltrated along with the code if it falls into the wrong hands.
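As an added illustration of the kind of rule a pre-receive hook can enforce (this is example code written for this page, not Omise’s or GitHub’s own hook), the script below rejects any push whose added lines contain a Luhn-valid card number. It assumes the environment GitHub Enterprise Server gives pre-receive hooks: one `old-sha new-sha ref-name` line per updated ref on standard input, a `git` binary on PATH that can read the pushed objects, and a non-zero exit status meaning “reject the push”. The diff parsing and Luhn check are pure functions so they can be tested without a repository.

```python
#!/usr/bin/env python3
"""Hypothetical pre-receive hook: block pushes that introduce card numbers.

Example written for this page; it is not Omise's or GitHub's code.  Assumes
the standard pre-receive contract (refs on stdin, git on PATH, exit 1 rejects).
"""
import re
import subprocess
import sys

ZERO_SHA = "0" * 40
# SHA-1 of git's empty tree, used as the base when a brand-new ref is pushed.
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"

# 13 to 19 digits, optionally separated by single spaces or dashes.  Deliberately
# broad (constructed pattern); the Luhn check below removes most false positives
# such as timestamps and build ids.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates in text, normalised to digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_diff(diff_text: str) -> list:
    """Parse unified diff output and return (path, pan) for every added line
    that carries a Luhn-valid number.  Removed and context lines are ignored,
    because only newly introduced data is being gated."""
    findings = []
    path = "<unknown>"
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            target = line[4:]
            path = target[2:] if target.startswith("b/") else target
        elif line.startswith("+"):
            for pan in find_pans(line[1:]):
                findings.append((path, pan))
    return findings


def scan_ref(old: str, new: str) -> list:
    """Diff one ref update with git and scan what it adds."""
    if new == ZERO_SHA:                      # ref deletion introduces nothing
        return []
    # A new ref is compared against the empty tree, which also re-scans content
    # that may already exist on other branches; acceptable for a gate like this.
    base = EMPTY_TREE if old == ZERO_SHA else old
    diff = subprocess.run(
        ["git", "diff", "--unified=0", base, new],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_diff(diff)


if __name__ == "__main__":
    findings = []
    for line in sys.stdin:
        if not line.strip():
            continue
        old, new, ref = line.split()
        for path, pan in scan_ref(old, new):
            findings.append((ref, path, pan))
    if findings:
        for ref, path, pan in findings:
            # Never echo the full number back into the push output; the last
            # four digits are enough for the developer to locate it.
            print(f"rejected: {ref} adds a card-number-like value in {path} "
                  f"(ending in {pan[-4:]})", file=sys.stderr)
        sys.exit(1)                          # non-zero exit rejects the push
    sys.exit(0)
```

The hook gates only lines that a push adds, so history that already passed review is not re-examined on every update, and the rejection message deliberately reveals only the last four digits. Pattern matching alone is noisy; the Luhn check is what keeps ordinary numeric values such as timestamps from blocking legitimate pushes.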

With Enterprise Server, the Omise teams can follow up-to-date software best practices within strict security requirements. “All of the code needs to be checked in a safe and secure manner, and no one can access it without proper authorization,” said Clart.

We have very tight control over where the code is stored, who has access to it, and who can change it.

In terms of hiring, the global presence of GitHub has facilitated Omise’s processes in Thailand, Singapore, Japan, and Europe. “A lot of developers already have a lot of experience with GitHub,” said Clart. “Everybody knows how it works.” A virtual appliance that includes all required software, GitHub Enterprise provides a new level of visibility and accelerates onboarding; it takes less than a day to get an engineer up to speed. “The GitHub portion is very fast,” said Clart. “It makes onboarding a piece of cake.”

Once hired, employees from all corners of the world—including the United States, Japan, Thailand, Vietnam, Africa, and Poland—need to collaborate efficiently. Clart explained, “Everything is asynchronous, so you leave reviews and people come back to them when they’re ready.” The process is as simple and seamless as if they were together in one room.

You just change the code that’s needed and get their approval. Merge, deploy, done.

For Omise, GitHub is exactly what they needed to streamline their auditing processes, facilitate international growth, and deliver a reliable product to their consumers. As the company grows, GitHub will scale to meet their evolving needs and support a global, distributed workforce. “For us, using GitHub is perfect,” said Clart. “If people need very tight control around sensitive information and don’t want to disturb their engineering team, it’s a no-brainer.”